Due DiligenceDue DiligenceData Rooms

Due Diligence: The Complete Guide (Process, Types and Checklist)

Due diligence is the work that happens between "we like this deal" and "we signed it." It is the structured investigation a buyer, investor or partner runs to confirm that what they were told matches

By Aryan Pereira12 min readUpdated July 2026
Due Diligence: The Complete Guide (Process, Types and Checklist)
On this page

Due diligence is the work that happens between "we like this deal" and "we signed it." It is the structured investigation a buyer, investor or partner runs to confirm that what they were told matches what is actually true, before money changes hands. I have sat on both sides of it: raising capital where my company was the one being examined, and helping investors pick apart companies they were about to buy into. The same lesson shows up every time. The deals that close cleanly are the ones where the underlying information was organized, complete and easy to verify. The deals that fall apart in the final weeks usually die in diligence, not in negotiation.

This guide is the hub for everything we publish on the subject. It covers what due diligence is, why it matters, the main types and stages, the end-to-end process, and the role a virtual data room plays in keeping the whole thing on schedule. Wherever a topic deserves its own deep dive, I link out to a dedicated guide so you can go as far down any branch as you need.

What due diligence actually means

In plain terms, due diligence is reasonable care taken before entering a transaction. The phrase started in securities law, where a broker who had done a genuine, careful investigation of a company could defend against claims of misrepresentation. The principle spread far beyond finance. Today the term covers any disciplined review someone runs before they commit: acquiring a company, leading a funding round, signing a major supplier, buying a building, or onboarding a customer who carries regulatory risk.

The goal is not to find a reason to walk away. The goal is to replace assumptions with evidence. Before diligence, a buyer has a pitch deck, a model and a good feeling. After diligence, they should have a verified picture of the revenue, the contracts, the liabilities, the technology and the people, plus a clear list of the risks they are choosing to accept. Sometimes that picture kills the deal. More often it adjusts the price, reshapes the terms, or surfaces conditions that have to be met before closing.

Why due diligence matters

Skipping or rushing diligence is how acquirers inherit lawsuits, investors fund businesses with hidden churn, and partners discover too late that a vendor cannot deliver. The cost of finding a problem during diligence is a renegotiation. The cost of finding the same problem after closing is litigation, a writedown, or a failed integration.

Diligence matters to both sides for different reasons:

  • For the buyer or investor, it is risk management. It validates the thesis, prices the risk, and produces the evidence that an investment committee or board needs to approve the deal.
  • For the seller or company raising money, it is about momentum and trust. A founder who can answer hard questions quickly, with clean documents, signals that the business is well run. A founder who scrambles for every file signals the opposite, and every delay gives the other side a reason to lower the offer or walk.

I have watched two companies with near-identical metrics get very different outcomes purely because one had its house in order and the other did not. Diligence is where preparation visibly pays off.

The main types of due diligence

"Due diligence" is really a family of parallel reviews, each handled by a different specialist. On a serious transaction several of these run at once. The table below maps the common types to what each one investigates and who typically owns it.

Type of due diligenceWhat it examinesWho usually runs it
Financial due diligenceRevenue quality, margins, working capital, debt, the accuracy of the modelAccountants, finance team, buy-side analysts
Commercial due diligenceMarket size, competitive position, customer demand, growth assumptionsStrategy advisors, corporate development
Technical due diligenceArchitecture, code quality, scalability, technical debt, securityCTO, external engineers, security reviewers
Software due diligenceCodebase, open-source licensing, IP ownership of the softwareEngineering reviewers, IP counsel
IT due diligenceSystems, infrastructure, tooling, integration cost and riskIT leadership, infrastructure consultants
Legal due diligenceContracts, corporate structure, litigation, IP, complianceLawyers, in-house counsel
Operational due diligenceProcesses, supply, headcount, the ability to actually run the businessOperations leaders, COO
Customer due diligenceIdentity, ownership and risk of a counterparty, often for AML rulesCompliance, onboarding teams
Enhanced due diligenceDeeper checks on higher-risk customers and counterpartiesCompliance, risk teams
ESG due diligenceEnvironmental, social and governance exposureESG specialists, sustainability teams
Environmental due diligenceContamination, environmental liability, especially in real assetsEnvironmental consultants
Vendor due diligenceA seller-commissioned review prepared for buyers in advanceSell-side advisors
Supply chain due diligenceSupplier reliability, concentration, ethics and continuityProcurement, operations
Real estate due diligenceTitle, zoning, condition, leases and valuation of propertySurveyors, real estate counsel

A few of these deserve a note on context. In an acquisition, the whole effort sits under M&A due diligence, which coordinates the financial, legal, commercial and technical streams into one decision. In a fund context, private equity due diligence applies the same disciplines with an investor's lens on returns and exit. And on the compliance side, customer and enhanced reviews are less about a single deal and more about an ongoing obligation to know who you are dealing with.

The due diligence process, end to end

However many specialist streams are running, the overall process follows the same arc. Here is how a typical transaction moves from interest to close.

1. Scoping and planning

Before anyone requests a document, the acquiring side decides what it actually needs to verify. This is where the thesis turns into questions. What would have to be true for this deal to be a good one, and what evidence would prove it? The output is a request list, a timeline, and a clear division of labor across the financial, legal, technical and commercial teams.

2. Information request and the data room

The investigating side sends a due diligence checklist, and the company being reviewed populates a secure repository with the answers. That repository is the virtual data room. Every contract, financial statement, cap table, employment agreement and policy lives there, organized so reviewers can find what they need without a dozen email threads. I cover exactly how to structure that repository in our due diligence data room checklist.

3. Review and analysis

Specialists work through the room. Accountants test the numbers, lawyers read the contracts, engineers inspect the systems. As they go, questions pile up. A good process handles those through a structured Q&A log inside the data room rather than scattered messages, so every answer is recorded and attributable.

4. Findings and the report

Each stream documents what it found, flags the risks, and quantifies them where possible. These roll up into a due diligence report that gives decision-makers a single, honest view of the target. The report is what an investment committee or board actually votes on.

5. Negotiation, conditions and close

Findings feed straight back into the deal. A discovered liability might cut the price, add an indemnity, push money into escrow, or become a condition that must be cleared before signing. Once the open items are resolved, the deal closes, and in many cases a final round of confirmatory diligence checks that nothing material changed between signing and closing.

The whole arc can run a few weeks for a small deal or several months for a complex acquisition. The single biggest variable in how long it takes is how well prepared the company being reviewed was on day one.

The role of a virtual data room

For most of diligence history, this all happened in a physical room: a locked office filled with binders, where one bidder at a time flew in to read documents under supervision. The virtual data room replaced that room with a secure, audited online workspace, and it changed the economics of diligence completely. Multiple parties can review in parallel, from anywhere, while the seller keeps tight control over who sees what.

A capable data room does four things that ordinary file sharing cannot:

  1. Granular access control. You decide, per user and per folder, who can view, download or only preview a document. Sensitive material can be ring-fenced from junior reviewers or competing bidders.
  2. A full audit trail. Every view, every download, every Q&A response is logged. You can see which investor spent forty minutes on the customer contracts and which never opened them, which is genuine signal during a raise.
  3. Controlled document handling. Watermarking, view-only access and the ability to revoke access after the fact keep your most sensitive files from leaking, even if a deal goes cold.
  4. Structure and search. A well-organized room with clear indexing turns weeks of back-and-forth into a self-serve experience for reviewers.

If you are choosing a tool, the trade-offs are real. The legacy enterprise platforms are powerful but quote-based and expensive, and they are built for billion-dollar M&A rather than a Series A. I wrote a fuller comparison in our guide to the best data room for due diligence, and a breakdown of what these tools actually cost in virtual data room cost. The short version: match the tool to the deal. You do not need an enterprise contract to run a clean seed or growth round.

How Plox fits in

Plox is the secure data room I reach for when the priority is moving fast without giving up control. It was built for founders, investors and dealmakers who need the core of what a data room does, granular permissions, watermarking, view-only sharing and a complete audit trail, without the procurement cycle and seat minimums of the legacy platforms.

In practice, the value shows up in two places. When I am raising, I can stand up a clean, well-structured room in an afternoon, share it with a controlled investor list, and watch the engagement analytics to see who is genuinely working through the materials. When I am on the buy side, the audit trail and Q&A keep the review organized instead of buried in email. It is not the right fit for every transaction. A regulated, multi-billion-dollar carve-out may genuinely need a heavyweight enterprise suite, and I will say so. But for the vast majority of raises and mid-market deals, a focused, modern room covers it. You can see how it is set up on the data rooms page, and the plans on the pricing page.

If you need outside hands rather than software, our overview of due diligence services walks through when it makes sense to bring in advisors and what they typically charge for.

A short pre-diligence checklist for the company being reviewed

If you are the one being examined, the work you do before diligence opens determines how it goes. Here is the minimum I want ready before I invite anyone in:

AreaHave ready before diligence opens
CorporateIncorporation docs, cap table, board minutes, shareholder agreements
FinancialAudited or reviewed statements, management accounts, the model, debt schedule
CommercialCustomer list, key contracts, churn and retention data, pipeline
LegalMaterial contracts, IP assignments, litigation history, compliance records
PeopleOrg chart, key employment and contractor agreements, option grants
TechnicalArchitecture overview, security posture, third-party and open-source licenses

Have these organized in a structured room, not scattered across drives and inboxes, and you turn diligence from a fire drill into a formality.

Frequently asked questions

How long does due diligence take?

It depends entirely on the size and complexity of the deal and on how prepared the company being reviewed is. A small, well-organized transaction can wrap in two to four weeks. A complex acquisition with several specialist streams can run two to three months or longer. Preparation is the lever you control: a complete, well-structured data room on day one is the single fastest way to compress the timeline.

What is the difference between due diligence and an audit?

An audit is a formal, standards-based examination of financial statements, usually performed by independent accountants to express an opinion on accuracy. Due diligence is broader and deal-specific. It pulls in financial, legal, commercial, technical and operational review to support a particular decision, such as buying a company or leading a round. An audit may be one input into financial due diligence, but diligence covers far more ground.

Who pays for due diligence?

In most transactions each side bears its own diligence costs. The buyer or investor pays for the advisors who investigate the target, and the company being reviewed bears the internal cost of preparing and staffing the data room. Vendor due diligence is the exception: there the seller commissions and pays for a report in advance, to give buyers a head start and keep the process moving.

Can due diligence kill a deal?

Yes, and that is part of its job. If diligence surfaces a material problem, a large undisclosed liability, fabricated numbers, a broken cap table, a deal can and should collapse. More often, findings do not kill the deal but reshape it through a lower price, an indemnity, an escrow, or conditions that have to be satisfied before closing.

Do I need a virtual data room for due diligence?

For anything beyond a handful of documents, yes. A virtual data room gives you permissioned access, watermarking, view-only sharing and a complete audit trail, none of which ordinary cloud folders provide. It also signals competence to the other side. The right tool depends on the deal size, which is why I compare options in our guide to the best data room for due diligence.

What is the deliverable at the end of due diligence?

The main output is a due diligence report: a structured summary of what each review stream found, the risks identified, and how serious they are. That report is what an investment committee, board or buyer uses to make the final call, and it usually drives the conditions and price adjustments that get written into the final agreement.

Aryan Pereira

Written by Aryan Pereira · Co-founder, Plox

Aryan co-founded Plox. He works on the product side, mostly on how viewers experience a shared link and what the sender gets to see back.

Connect on LinkedIn